From: Russ (Russ.CooperRC.ON.CA)
Date: Tue Jun 12 2001 - 13:12:05 CDT


    -----BEGIN PGP SIGNED MESSAGE-----

    Seems there's a fair bit of FUD spreading around about Windows XP
    (Whistler), RAW Sockets, and DDoS'. Though NTBugtraq isn't the place
    for discussions of beta products, an explanation is needed to keep
    things in perspective.

    Some facts:

    1. Windows 9x/ME/NT/2000 can all spoof IP addresses. That you don't
    know how without a reboot doesn't make it less possible. NT/2000 and
    Whistler all make it preventable (meaning the new OS is better than
    the old, no?)

    2. The ability to spoof addresses is not solely a function of some
    obscure Winsock call, it's a function of the configuration of the
    machine. Spoofing an address is equal to having an address, ergo the
    only way to prevent it at the OS is to enforce some restriction on
    what IP address the machine can have/use. How does the OS know an
    approved one from one not approved?

    3. Virtually all other OS' can spoof IP addresses too. The recent
    sadmind worm got to at least 600 vulnerable Solaris boxes and allowed
    them to originate spoofed packets. There are hundreds of thousands
    (or more) non-MS boxes out there (and more coming), with
    vulnerabilities, that could spoof packets and be used (and have been
    used) in a DDoS, so the adoption of Whistler is hardly creating a
    problem we don't already face.

    4. DDoS', by their very nature, can only be thwarted with the
    cooperation of numerous parties;

    a) ISPs and owners of Internet Gateways (read
    corporate/government/educational institution pipes) must establish,
    and maintain, agreements amongst themselves to ensure that Egress
    Filtering is in place. Egress filtering ensures that only valid
    (owned and/or assigned) IP addresses can be used as source addresses
    for any outbound packet from a given network. In Cisco IOS
    environments, a simple outbound filter with its first rule set to
    permit valid IP addresses would suffice, and would not seriously
    impact 95% of routers' performance.

    Egress filtering stops spoofed packets cold. If you're not stopping
    the problem from originating from your network, you're part of the
    problem.

    TruSecure Corporation formed the Alliance for Internet Security
    specifically to bring this issue to the fore. Have a look at:

    http://www.trusecure.com/html/tspub/hypeorhot/alerts/old/index2.shtml

    for a decent list of links that describe the problem, and problems
    with solutions.

    Also See RFC 2827, http://www.isi.edu/in-notes/rfc2827.txt, Best
    Current Practice 38 on Ingress filtering and DDoS'.

    b) ISPs must cooperate with other ISPs in order to identify the
    actual source of spoofed packets. TruSecure's ISP Security Consortium
    is one way for cooperation, but in lieu of legislation, contractual
    cooperation may be necessary. ISPs do it now for BGP, it could be
    done for packet spoofing as well. (this is the simplistic remark,
    there are lots of issues here but cooperation needs to improve and
    contractual agreements need to incorporate anti-spoofing sections).
    They must also respond more seriously to attacks originating from
    their networks, many ISPs are woefully unprepared to handle a query
    about a node on their network.

    c) Owners/Administrators of potential attack machines need to ensure
    they don't get compromised. This means everyone, not just users of
    Microsoft operating systems. Mechanisms should be established for
    verifying that a machine meets a, to be defined, minimum standard. If
    ISPs are going to be held liable (and there's indications that is
    coming), they will in turn hold their customers liable (or charge a
    premium to customers who can't or won't be verified).

    Summary:

    Gibson suggests the problem is in the OS, and/or the marketing of it.
    He's oblivious to the realities of consumers and business as it is
    today. Were his beliefs true, dramatically restricted network devices
    would dominate the landscape...clearly they don't. Consumers don't
    want restrictions, they want security, and until one can be offered
    without impeding the other they're not going to adopt anything that
    purports to take something away.

    To the issue of deployment of Whistler, there's business users and
    there's home users. Business users are, or should be, handling their
    security largely at gateways. A TruSecureism says it's far easier to
    handle a virus at a gateway device than it is to let the desktops try
    and deal with it. Ergo Whistler's deployment in businesses is not
    likely to create any additional problems to the net as a whole (and
    there are far more business desktops than there are home desktops).

    Home users should be encouraged, not discouraged, to get Whistler.
    It's likely that every Whistler desktop will include a personal
    firewall (the product is still in beta, so who knows what will
    actually ship). Unlike TCP/IP Filtering, which NT has had for ages,
    this personal firewall component can log traffic that it denies.
    Finally a forensic tool which might actually prove useful in tracing
    back attackers. The more Whistler desktops deployed, the more likely
    forensic evidence might exist to prosecute attackers. However
    Gibson's FUD suggests there's reason not to deploy Whistler, nothing
    could be further from the truth. Of course we're all going to have to
    do a job to get the personal firewall turned on, but then that's
    fairly normal.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2

    iQCVAwUBOyZbdBBh2Kw/l7p5AQGx8QQAqJjHKLLHq23ehq3pQMgFO5FD/NuIRAQY
    KaG/gdt+5MZsxiumZdahTBkcwVBpJGa8VATAfSEBMbZ72Xr4Pcl1msW0sLfiEaP6
    IDx9uetlyIA2TAGsLDUlwWPhXfMMOvetQ9aqDYPdO9ulXGLxNrULRIfEleYls9+4
    eS8nzwCufmg=
    =apZa
    -----END PGP SIGNATURE-----
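The egress filter Russ describes in point 4a, modelled as an added example (editor's code, not part of Russ's post or of any TruSecure or Cisco material). It evaluates outbound packets against a first-match rule list in the style of an IOS outbound ACL: one permit entry per prefix the network actually owns, then a final deny that is logged. The prefixes (192.0.2.0/24, 198.51.100.0/25) are documentation ranges chosen for the example, and the packets are constructed, not captured traffic.

```python
"""RFC 2827 / BCP 38 style egress filtering, simulated (added example).

The network "owns" the prefixes in ASSIGNED. A packet may leave the
network only if its source address falls inside one of them; anything
else is a spoofed or misconfigured source and is dropped and logged.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "udp"


class EgressFilter:
    """First-match outbound filter, evaluated on the source address only."""

    def __init__(self, rules):
        # rules: ordered list of (action, network) in first-match order,
        # like an IOS access list applied with "ip access-group N out".
        self.rules = [(action, ipaddress.ip_network(net)) for action, net in rules]
        self.denied_log = []  # what a logging deny would leave behind

    def evaluate(self, src):
        """Return (action, rule_index) for the first matching rule.

        An address that matches nothing (e.g. an IPv6 source against an
        all-IPv4 list) hits the implicit deny, reported as index -1.
        """
        addr = ipaddress.ip_address(src)
        for i, (action, net) in enumerate(self.rules):
            if addr in net:  # version mismatch simply does not match
                return action, i
        return "deny", -1

    def process(self, packets):
        """Forward permitted packets; log and drop the rest."""
        forwarded = []
        for pkt in packets:
            action, rule = self.evaluate(pkt.src)
            if action == "permit":
                forwarded.append(pkt)
            else:
                self.denied_log.append(
                    f"DENY out rule={rule} src={pkt.src} dst={pkt.dst} proto={pkt.proto}"
                )
        return forwarded


def make_acl(assigned_prefixes):
    """Permit each owned prefix, then deny everything else (logged)."""
    rules = [("permit", p) for p in assigned_prefixes]
    rules.append(("deny", "0.0.0.0/0"))
    return rules


# Constructed sample data: the prefixes this network is assigned, and a
# mix of legitimate and forged outbound packets aimed at a single victim.
ASSIGNED = ["192.0.2.0/24", "198.51.100.0/25"]
VICTIM = "203.0.113.80"
SAMPLE_PACKETS = [
    Packet("192.0.2.10", VICTIM, "tcp"),   # legitimate host on our /24
    Packet("198.51.100.7", VICTIM),        # legitimate host on our /25
    Packet("198.51.100.200", VICTIM),      # outside our /25: not an address we own
    Packet("10.0.0.5", VICTIM),            # RFC 1918 source leaking out
    Packet(VICTIM, VICTIM),                # source forged as the victim itself
    Packet("8.8.8.8", VICTIM),             # arbitrary forged source
]


def run_example():
    """Apply the filter to the sample traffic; returns (forwarded, denied log)."""
    edge = EgressFilter(make_acl(ASSIGNED))
    forwarded = edge.process(SAMPLE_PACKETS)
    return forwarded, edge.denied_log


if __name__ == "__main__":
    fwd, log = run_example()
    print("forwarded:", [p.src for p in fwd])
    for line in log:
        print(line)
```

Only the two packets whose sources lie inside the assigned prefixes leave the network; the other four are dropped by the final deny and each one produces a log line, which is the trace an operator would use when a neighbouring ISP asks where a flood came from. On a Cisco IOS router the same policy is an extended access list with one `permit ip <network> <wildcard> any` line per owned prefix followed by `deny ip any any log`, applied outbound on the upstream interface with `ip access-group`; this script is only an illustration of the matching logic, not a configuration generator.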